Output of renderer 'notebook' violates Content Security Policy
Setup description
We have plotly.py set up with pio.renderers.default = "notebook" and we use nbconvert 6.5 to convert executed notebooks to HTML reports with input cells stripped out. These HTMLs are served by a simple node.js front end that has Content Security Policies for script-src set up due to security requirements.
Issue description
The exported HTML contains inline script tags, one of which has plotly.js and its dependencies. One of the dependencies seems to violate our script-src Content Security Policy, as it is using eval(), new Function(), setTimeout([string], ...) and setInterval([string], ...) for evaluating strings (Reference).
CSP Error from Chrome:
Ask
Is there a way to provide plotly.py the ability to use the plotly.js strict bundle and hence avoid having to use dependencies that violate CSP?
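
An added example, not part of the original issue or of plotly.py: a pre-publish check that lists each inline script in an exported HTML report, computes the CSP hash source that would allow it under script-src, and flags the eval-style constructs named above, which need 'unsafe-eval' regardless of hashes. The sample HTML and all function names are constructed for illustration, and the regex match is a heuristic (a hit inside a string or comment is still reported).

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

# Constructs that script-src blocks unless the policy allows 'unsafe-eval'.
EVAL_PATTERNS = {
    "eval()": re.compile(r"\beval\s*\("),
    "new Function()": re.compile(r"\bnew\s+Function\s*\("),
    "setTimeout(string)": re.compile(r"\bsetTimeout\s*\(\s*[\"'`]"),
    "setInterval(string)": re.compile(r"\bsetInterval\s*\(\s*[\"'`]"),
}

class InlineScriptCollector(HTMLParser):
    """Collects the raw text of every <script> element that has no src."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # list of text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

def audit_report(html):
    """Return one finding per inline script: CSP hash source and eval-style hits."""
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for index, body in enumerate(parser.scripts):
        digest = base64.b64encode(hashlib.sha256(body.encode("utf-8")).digest())
        hits = sorted(name for name, rx in EVAL_PATTERNS.items() if rx.search(body))
        findings.append({"index": index, "csp_hash": "'sha256-%s'" % digest.decode(),
                         "needs_unsafe_eval": hits})
    return findings

# Constructed sample standing in for an nbconvert export (not real plotly.js output).
SAMPLE_REPORT = """<html><body>
<script src="https://example.invalid/lib.js"></script>
<script>var build = new Function("return this")();</script>
<script>document.title = "report";</script>
</body></html>"""
```

Running `audit_report` over each exported report in CI shows which inline blocks can be covered by a hash or nonce and which would still be blocked because they evaluate strings.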